California Sets the Stage with Sweeping Privacy Law

July 10, 2018By Chiara Portner and Celine Guillou

If your business is not yet paying full attention to privacy and data protection (or quietly waiting for GDPR to play out), California legislators have finally given you the opportunity to do so. On June 28, 2018, Governor Brown signed the California Consumer Privacy Act (AB 375) into law.

The California Consumer Privacy Act will become effective January 1, 2020. Companies therefore have a year and a half to plan their implementation, but preparing to comply with the strictest privacy rules in the United States will be time-consuming. The Act was drafted within a week in order to avert a costly showdown over a ballot measure, already cleared for a vote in California this fall, that carried even more stringent requirements (by contrast, the EU’s General Data Protection Regulation (GDPR), enforceable since May 25, 2018, took over four years to draft). As a result, the Act contains many ambiguities and inconsistencies that will need to be resolved by legislative amendment and by the State Attorney General’s implementing regulations.

A “GDPR-esque” Law Rooted in California’s Constitutional Right to Privacy
The Act applies in connection with the personal information of California residents processed by companies, and includes many concepts, such as individual rights, that are reminiscent of the EU’s GDPR. Among those concepts:

“personal information” is defined much more broadly than typical under U.S. privacy laws. Personal information extends to any information that “identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This would include IP addresses, unique identifiers of a particular consumer or device as well as browsing histories and tendencies. In that respect, it is much more akin to personal data under GDPR than the long-used US standard of “PII” or “personally identifiable information”;

transparency, a key tenet for privacy advocates and a core principle of GDPR, is at the heart of the Act, which requires businesses to be transparent with consumers about their data collection and processing activities and to disclose the categories of personal information they collect, sell, and share; and

the GDPR’s individual rights, namely the right of access, the right to data portability and the highly contentious right to be forgotten, are all included in the Act.

Companies will also be required to give consumers the right to opt out of the “sale” (also defined very broadly) of their personal information. To do so, companies must provide a conspicuous “Do Not Sell My Personal Information” link leading to a page that enables consumers to exercise that right. For consumers between the ages of 13 and 16, the consumer must provide express opt-in consent before their information may be sold. For consumers under age 13, a parent or guardian must provide that affirmative consent.

Businesses that have already worked toward GDPR compliance will therefore find themselves one step ahead of the pack.

Who Must Comply?
A company doing business in California will be subject to the Act if it has annual gross revenues in excess of $25M. Companies below that threshold will also be subject to the Act if: (a) the company derives fifty percent or more of its annual revenue from selling consumer personal information; or (b) the company annually purchases, receives for commercial purposes, sells, or shares for commercial purposes the personal information of fifty thousand or more consumers, households, or devices. In other words, the Act has a broad reach.

Although the Act prohibits companies from charging different prices or providing different service levels to consumers who exercise their opt-out rights, it does allow businesses to offer certain financial incentives in exchange for the right to collect and sell a consumer’s information.

The Act also gives consumers a private right of action against businesses. It is still unclear whether that private right of action is limited to traditional data security breaches or extends to other violations of the Act.

We will continue to monitor developments, including legislative amendments. California tends to be at the forefront of privacy law, and we expect many states to follow with similar legislation. As with GDPR, we recommend periodic data audits and maintaining a data flow map; both are step one in moving toward compliance with privacy laws that have become, and will continue to become, increasingly pro-consumer.
